Care should be taken as to which ones to include
Academic year: 2021

(1)

The System Initialisation Table has many options that affect security

Some affect the whole security environment

Some affect individual resources

Care should be taken as to which ones to include

(2)

8.1 SECURING CICS

Options that affect the whole CICS system:

• SEC
• SECPRFX
• DFLTUSER
• RESSEC

(3)

ACTIVE CLASSES = DATASET USER GROUP ACCTNUM ACICSPCT BCICSPCT CBIND CCICSCMD
                 DCICSDCT DSNR ECICSDCT FACILITY FCICSFCT GCICSTRN GXFACILI
                 HCICSFCT JCICSJCT KCICSJCT LOGSTRM MCICSPPT NCICSPPT
                 PCICSPSB PTKTDATA PTKTVAL QCICSPSB RCICSRES SCICSTST
                 SERVER STARTED SURROGAT TCICSTRN TSOAUTH TSOPROC UCICSTST
                 VCICSCMD WCICSRES XFACILIT

(4)

For transactions that are attached: XTRAN

Classes: TCICSTRN GCICSTRN

A user class name can be specified instead, but it must be defined in the RACF User Class Descriptor Table

(5)

For DL/I PSBs: XPSB

Classes: PCICSPSB QCICSPSB

For transient data queues: XDCT

(6)

For File Control Table entries: XFCT

Classes: FCICSFCT HCICSFCT

For Journal Control Table entries: XJCT

Classes: JCICSJCT KCICSJCT

(7)

For transactions that are started: XPCT

Classes: ACICSPCT BCICSPCT

For programs and mapsets: XPPT

(8)

For temporary storage queues: XTST

Classes: SCICSTST UCICSTST

For session security when binding LUTYPE6.2 sessions: XAPPC

For command security: XCMD

Classes: CCICSCMD VCICSCMD

(9)

For document template resources: XRES

Classes: RCICSRES WCICSRES

(10)

Access to the CICS application during logon

The APPLID needs to be defined in the APPL class

All users need READ access in order to log on

VTAMAPPL allows CICS to open the VTAM ACB

(11)

During logon CICS invokes the Good Morning transaction

CSGM is the default

CESN is provided for signon; CESF is provided for signoff

The CICS DFLTUSER is assigned to every terminal before signon

(12)

Access to the Terminal is provided by :

TERMINAL GTERMINL

System wide TERMINAL (READ)

CICS does not restrict logon and signon

(13)

Protecting CICS resources requires definitions to be made to RACF

The RACF command RDEFINE is used to define transactions to either:

TCICSTRN or GCICSTRN

The PERMIT command grants the group or user access

(14)

Lower-level resources can be protected

The transaction definition must specify RESSEC = YES

The appropriate resource class is then checked for access to that resource

Access to files, or to any other resource, is controlled by the RDEFINE/PERMIT commands

(15)

Checked by RACF:

XTRAN = YES
XDCT = YES
XFCT = YES
XPCT = YES
XPPT = YES
XPSB = YES
XRES = YES
XTST = YES

(16)

Programs that execute in the PLTPI need consideration. These options are specified in the SIT:

• PLTPIUSR

• PLTPISEC

The shutdown PLT programs run under the authority of the shutdown transaction

(17)

The CICS segment in the RACF userid allows individual users to be assigned their own operational properties:

OPCLASS
OPIDENT
OPPRTY
TIMEOUT

(18)

The CICS API supports the QUERY SECURITY command

It can check on resources defined to CICS:

• Resources in CICS resource classes
• Resources in user-defined resource classes

(19)

EXEC CICS QUERY SECURITY
     < RESTYPE(data-value) | RESCLASS(data-value) RESIDLENGTH(data-value) >
     RESID(data-value)
     < LOGMESSAGE(cvda) | LOG | NOLOG >
     < ALTER(cvda) > < CONTROL(cvda) > < READ(cvda) > < UPDATE(cvda) >
END-EXEC.

(20)

CICS resources that can be specified on the RESTYPE option:

• FILE
• JOURNALNUM
• PROGRAM
• PSB
• SPCOMMAND
• TDQUEUE
• TRANSACTION
• TRANSATTACH
• TSQUEUE

(21)

[Diagram: a CICS user program issues QUERY SECURITY; CICS passes the question to the RACF address space, which answers from its profiles and class descriptors: "Do I have UPDATE access for FILEA in the FCICSFCT class descriptor?"]

(22)

The CVDA is the CICS VALUE DATA AREA

It returns a status of the resource

The DFHVALUE defines the resource

It is included automatically by CICS during compile

(23)

EXEC CICS SIGNON USERID < PASSWORD > < NEWPASSWORD > END-EXEC.

EXCEPTIONAL CONDITIONS: INVREQ NOTAUTH USERIDERR

(24)

EXEC CICS SIGNOFF END-EXEC.

EXCEPTIONAL CONDITIONS: INVREQ

(25)

• The supplied password is incorrect
• A new password is required
• A new password is not acceptable
• The userid is revoked
• The userid is not authorised to the terminal

(26)

SIGNON TO CICS                                   APPLID DBDCCICS

Type your userid and password, then press ENTER:

   Userid . . . .                 Groupid . . .
   Password . . .
   Language . . .
   New Password . . .

DFHCE3520 Please type your userid.
F3 to Exit

(27)

The Master Terminal command can be protected, and so can the options it invokes:

CEMT PERFORM SHUTDOWN

Access would be needed to all three. CECI should be set up the same way.

Both transactions require: CMDSEC = YES

(28)

8.11 INTERCOMMUNICATION SECURITY

• Bind-time security

• Link security

• Attach or user security

(29)

8.11 INTERCOMMUNICATION SECURITY

DEF CONNECTION                     OVERTYPE TO MODIFY          CICS RELEASE = 0650
 CEDA DEFine CONnection( )
  Queuelimit     ==> No              No | 0-9999
  Maxqtime       ==> No              No | 0-9999
 OPERATIONAL PROPERTIES
  AUtoconnect    ==> No              No | Yes | All
  INService      ==> Yes             Yes | No
 SECURITY
  SEcurityname   ==>
  ATtachsec      ==> Local           Local | Identify | Verify | Persistent | Mixidpe
  BINDPassword   :                   PASSWORD NOT SPECIFIED
  BINDSecurity   ==> No              No | Yes
  Usedfltuser    ==> No              No | Yes

(30)

8.11 INTERCOMMUNICATION SECURITY

BIND PASSWORD defines a password on the remote system that must be the same as the local password

This password is specified on the CONNECTION definition

(31)

8.11 INTERCOMMUNICATION SECURITY

The BIND PASSWORD is protected in the following ways :

1. The BIND PASSWORD is never transmitted between systems

2. CICS does not store a readable copy of the password, either on the CSD or in internal control blocks

(32)

8.11 INTERCOMMUNICATION SECURITY

An alternative is BINDSECURITY

This allows the definition of RACF Session Keys

(33)

8.11 INTERCOMMUNICATION SECURITY

LINK SECURITY is handled by the SECURITYNAME option:

This option must specify the USERID of the incoming region

If ATTACHSEC is LOCAL, it is this name that is used for resource access in this region

(34)

8.11 INTERCOMMUNICATION SECURITY

For ATTACH or USER security the ATTACHSEC option is important:

ATTACHSEC:

LOCAL
IDENTIFY
VERIFY

Other options that affect LUTYPE6.2 are PERSISTENT and MIXIDPE

(35)

8.11 INTERCOMMUNICATION SECURITY

In every case where CICS is the incoming region then IDENTIFY should be specified

If the incoming region is not CICS and can give a Userid, then IDENTIFY should be specified

If the incoming region is a system that cannot give a Userid, then LOCAL should be specified
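The rules on slides 28, 33 and 35 can be applied mechanically to CONNECTION definitions. The Python script below is an added example, not part of the original slides: it parses the SECURITY section of CEDA-style panel text laid out like slide 29, then flags a missing SECURITYNAME, an ATTACHSEC that contradicts what the partner can supply, and the absence of any bind-time security (neither BINDSECURITY(YES) nor a BINDPASSWORD). The three connection panels are constructed, and PARTNER_CAN_SUPPLY_USERID is a hypothetical inventory fact about each remote system, not a CEDA attribute.

```python
"""Review CICS CONNECTION definitions against the intercommunication-security
guidance on slides 28 to 35 (added example, constructed input)."""
import re

# Constructed CEDA-style panel extracts (SECURITY section only) for three
# hypothetical connections. Layout follows the panel on slide 29.
SAMPLE_PANELS = {
    "CICB": """\
 SECURITY
  SEcurityname   ==>
  ATtachsec      ==> Local           Local | Identify | Verify | Persistent | Mixidpe
  BINDPassword   :                   PASSWORD NOT SPECIFIED
  BINDSecurity   ==> No              No | Yes
  Usedfltuser    ==> No              No | Yes
""",
    "PRTR": """\
 SECURITY
  SEcurityname   ==> PRTRUSR
  ATtachsec      ==> Identify        Local | Identify | Verify | Persistent | Mixidpe
  BINDPassword   :                   PASSWORD NOT SPECIFIED
  BINDSecurity   ==> Yes             No | Yes
  Usedfltuser    ==> No              No | Yes
""",
    "CICC": """\
 SECURITY
  SEcurityname   ==> CICSC
  ATtachsec      ==> Identify        Local | Identify | Verify | Persistent | Mixidpe
  BINDPassword   :                   PASSWORD NOT SPECIFIED
  BINDSecurity   ==> Yes             No | Yes
  Usedfltuser    ==> No              No | Yes
""",
}

# Hypothetical inventory knowledge, not a CEDA attribute: can the remote
# system pass a userid on the attach request? (slide 35)
PARTNER_CAN_SUPPLY_USERID = {"CICB": True, "PRTR": False, "CICC": True}


def parse_ceda_connection(panel_text):
    """Map ATTRIBUTE -> VALUE from a CEDA panel dump. The value is the text
    before the run of spaces that begins the allowed-values column."""
    attrs = {}
    for line in panel_text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*(?:==>|:)\s?(.*)$", line)
        if not m:
            continue
        rest = m.group(2).strip()
        attrs[m.group(1).upper()] = re.split(r"\s{2,}", rest)[0].upper() if rest else ""
    return attrs


def review_connection(name, attrs, partner_can_supply_userid):
    """Apply the rules from slides 28, 33 and 35; return (name, level, message)."""
    findings = []
    attachsec = attrs.get("ATTACHSEC", "LOCAL")
    securityname = attrs.get("SECURITYNAME", "")
    if not securityname:
        findings.append((name, "ERROR", "SECURITYNAME not specified: link security needs the userid of the incoming region"))
    if partner_can_supply_userid and attachsec == "LOCAL":
        findings.append((name, "WARN", "ATTACHSEC(LOCAL) although the partner can supply a userid: IDENTIFY should be specified; all attached work uses the link userid for resource access"))
    if not partner_can_supply_userid and attachsec != "LOCAL":
        findings.append((name, "WARN", f"ATTACHSEC({attachsec}) but the partner cannot supply a userid: LOCAL should be specified"))
    bind_password_set = attrs.get("BINDPASSWORD", "PASSWORD NOT SPECIFIED") != "PASSWORD NOT SPECIFIED"
    if attrs.get("BINDSECURITY", "NO") == "NO" and not bind_password_set:
        findings.append((name, "WARN", "no bind-time security: neither BINDSECURITY(YES) nor a BINDPASSWORD"))
    return findings


def review_all(panels=SAMPLE_PANELS, inventory=PARTNER_CAN_SUPPLY_USERID):
    """Review every connection; returns name -> list of findings."""
    return {name: review_connection(name, parse_ceda_connection(text), inventory[name])
            for name, text in panels.items()}


if __name__ == "__main__":
    for name, findings in review_all().items():
        print(f"{name}: {'clean' if not findings else ''}")
        for _, level, message in findings:
            print(f"  {level:5} {message}")
```

With the constructed input, CICB (a CICS partner left at the defaults) gets three findings, PRTR gets one (IDENTIFY specified for a partner that cannot supply a userid, where slide 35 says LOCAL), and CICC is clean. The parser only relies on the "attribute ==> value" layout of the CEDA panel, so the same script can be pointed at the output of CEDA DISPLAY for a real CSD.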
